Method and system for determining whether domain names are legitimate or malicious

  • US 9,516,058 B2
  • Filed: 08/09/2011
  • Issued: 12/06/2016
  • Est. Priority Date: 08/10/2010
  • Status: Active Grant
First Claim
1. A method of detecting malicious network behavior by teaching at least one reputation engine to determine whether at least one new domain name is likely to be used for malicious or legitimate uses, the method comprising:

  • obtaining passive domain name system (DNS) query information, utilizing the at least one reputation engine in communication with at least one database, wherein the passive DNS query information is obtained using passive DNS collectors from DNS information;

  • utilizing, using the at least one reputation engine, the passive DNS query information to measure statistical features of known malicious domain names and known legitimate domain names, wherein the statistical features comprise network-based features and/or zone-based features, the network-based features describing how operators who own the at least one domain name and IP addresses the at least one domain name points to are able to allocate their network resources, and the zone-based features measuring a set of related historic domain names (RHDNs) of domain names historically associated with the at least one new domain name; and

  • utilizing the statistical features to determine at least one reputation for the at least one new domain name, by teaching the at least one reputation engine to determine whether the at least one new domain name is likely to be used for malicious or legitimate uses, and thus determine if the network communication is malicious or benign.
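The claim above describes three steps (collect passive DNS, measure network-based and zone-based features of known domains, teach a reputation engine and score a new domain). The following Python block is an added illustration of that pipeline and is not the patent's own implementation: the passive DNS records, ASN numbers and labels are constructed sample data, /24 prefixes stand in for BGP prefixes, the RHDN set is approximated as "other domains that resolved to the same IPs", and the nearest-centroid scoring is an assumed stand-in for whatever learning method the patent uses.

```python
"""Passive DNS feature extraction feeding a minimal reputation engine.

Added illustration, not the patent's implementation. Records, ASNs and
labels are constructed; /24 prefixes approximate BGP prefixes and the
nearest-centroid model approximates the (unspecified) learning step.
"""
from ipaddress import ip_network
from math import sqrt

# Constructed passive DNS observations: (domain, resolved IP, ASN of that IP).
PASSIVE_DNS = [
    ("update.example-cdn.net", "203.0.113.10", 64496),
    ("update.example-cdn.net", "203.0.113.11", 64496),
    ("img.example-cdn.net",    "203.0.113.10", 64496),
    ("bad-flux.example",       "198.51.100.5",  64500),
    ("bad-flux.example",       "192.0.2.77",    64501),
    ("bad-flux.example",       "203.0.113.200", 64502),
    ("bad-flux.example",       "198.51.100.90", 64503),
    ("login-secure.example",   "192.0.2.77",    64501),
    ("cdn-x.example",          "198.51.100.5",  64500),
    ("newdomain.example",      "198.51.100.5",  64500),
    ("newdomain.example",      "192.0.2.77",    64501),
]

FEATURE_NAMES = ("n_ips", "n_prefixes", "n_asns", "n_rhdns", "n_tlds")


def network_features(domain, records):
    """Network-based features: how spread out the IPs a domain points to are.
    Stable infrastructure tends to sit in few prefixes/ASNs; rapidly rotating
    hosting spreads across many."""
    ips = {ip for d, ip, _ in records if d == domain}
    asns = {asn for d, _, asn in records if d == domain}
    prefixes = {ip_network(f"{ip}/24", strict=False) for ip in ips}
    return {"n_ips": len(ips), "n_prefixes": len(prefixes), "n_asns": len(asns)}


def related_historic_domains(domain, records):
    """RHDNs (assumed approximation): other domains that historically
    resolved to any IP this domain has used."""
    ips = {ip for d, ip, _ in records if d == domain}
    return {d for d, ip, _ in records if ip in ips and d != domain}


def zone_features(domain, records):
    """Zone-based features describing the RHDN set."""
    rhdns = related_historic_domains(domain, records)
    tlds = {d.rsplit(".", 1)[-1] for d in rhdns}
    return {"n_rhdns": len(rhdns), "n_tlds": len(tlds)}


def feature_vector(domain, records=PASSIVE_DNS):
    feats = {**network_features(domain, records), **zone_features(domain, records)}
    return [feats[name] for name in FEATURE_NAMES]


class ReputationEngine:
    """Taught from labelled domains; scores a new domain by its distance to
    the centroid of each class in feature space."""

    def __init__(self, records=PASSIVE_DNS):
        self.records = records
        self.centroids = {}

    def teach(self, labelled):
        """labelled: {domain: 'legitimate' | 'malicious'}."""
        by_label = {}
        for domain, label in labelled.items():
            by_label.setdefault(label, []).append(feature_vector(domain, self.records))
        for label, vectors in by_label.items():
            n = len(vectors)
            self.centroids[label] = [sum(col) / n for col in zip(*vectors)]

    @staticmethod
    def _distance(vec, centroid):
        return sqrt(sum((a - b) ** 2 for a, b in zip(vec, centroid)))

    def reputation(self, domain):
        """0.0 = resembles known malicious, 1.0 = resembles known legitimate."""
        vec = feature_vector(domain, self.records)
        d_mal = self._distance(vec, self.centroids["malicious"])
        d_legit = self._distance(vec, self.centroids["legitimate"])
        if d_mal + d_legit == 0:
            return 0.5
        return d_mal / (d_mal + d_legit)

    def verdict(self, domain, threshold=0.5):
        return "legitimate" if self.reputation(domain) >= threshold else "malicious"


# Constructed ground truth used to teach the engine.
KNOWN = {
    "update.example-cdn.net": "legitimate",
    "img.example-cdn.net": "legitimate",
    "bad-flux.example": "malicious",
    "login-secure.example": "malicious",
    "cdn-x.example": "malicious",
}

if __name__ == "__main__":
    engine = ReputationEngine()
    engine.teach(KNOWN)
    d = "newdomain.example"
    print(d, feature_vector(d), round(engine.reputation(d), 2), engine.verdict(d))
```

The unlabelled `newdomain.example` never appears in the training labels, yet its two IPs are shared with three known malicious domains, so its RHDN count and prefix/ASN spread pull it toward the malicious centroid. In a real deployment the feature set would be far richer (query volumes, time windows, true BGP prefixes and registrar data) and the threshold tuned against a held-out set, but the shape of the pipeline is the one the claim describes.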

  • 14 Assignments